System Center

Decided to create a video that walked through the exact process to deploy corporate applications to iOS (and Android) through Intune while actually performing the management with Configuration Manager. Additionally I lock it down so corporate data cannot flow from corporate apps to personal apps. Available at https://youtu.be/wfWoLLx8WeA.

Been swamped lately as I started writing a new book, Mastering Azure Infrastructure Services, and have been working on a few other projects, but this weekend I recorded three videos on different topics including Windows 10 Virtual Desktops, Azure Auto-Scale and Operations Manager to Service Manager Alert Lifecycles! Enjoy.

Decided to play with the Windows Azure Pack and specifically offer a hybrid VM deployment which would deploy either via SCVMM to a cloud OR deploy to Azure, depending on whether the user desired high availability for the VM. I walk through this in video http://youtu.be/wLANreQyk3c and a mini version can be seen below.

If you decide to play with this there are a number of things you need to do:

The Orchestrator service account needs to be a SCVMM administrator (as it interfaces via PowerShell to update VM status)

You will need configurations in Orchestrator for Service Manager and SCVMM

You will need to have downloaded your Azure publish settings file, which you can do with the command Get-AzurePublishSettingsFile, and should save it as c:\data\Microsoft Azure Subscription.publishsettings (if you follow my standard configuration)

You need the Azure and SCVMM PowerShell cmdlets installed on the Runbook server or whatever server you configure the PowerShell to run on (I use localhost, which means it runs on the runbook server, but in a larger environment you would likely have one or more dedicated PowerShell servers)

There are lots of places in the PowerShell with < > placeholders that you need to replace with your own values, and ideally in the Get Clouds for User activity you should use real logic to set the values!

In the Create Azure VM activity you need to replace the subscription name with your own name as it appears in the Azure Publish Settings File

Make sure the same RDP file is in c:\data as used in the Create RDP File activity

Make sure the users in AD have the mail attribute populated

Also I really don’t have error handling in this runbook, it was more a demonstration of what can be done and integration with Windows Azure Pack. I also enabled ADFS for my Windows Azure Pack tenant site and I’ll write that up as a FAQ on http://www.ntfaq.com over the next 2 weeks. I already have FAQs on installing Windows Azure Pack.

This runbook was done as one long runbook. Normally you would not do that; you would have separate runbooks. To demonstrate the flow and how simple it really is I left it as one big runbook, but I want to be clear this is not best practice.

It started out very simple. I was preparing for a client that wanted to allow business groups to schedule the deployment of patches to their servers via Configuration Manager, using Orchestrator and Service Manager with some approval workflow. This seemed the right approach and I decided to quickly set up a little example of what this would look like. Instead of using Configuration Manager, though, I decided to just be able to run any PowerShell command on the computers in the passed Active Directory group (which contained the computers for that business group). The final solution is walked through at http://youtu.be/RFLhyMhJOOc and I have a bunch of assets listed below:

I wanted to briefly go over the key steps here that are walked through in the video:

Firstly, I decided to do the actual logic of finding all the machines in the passed AD group using PowerShell, and to perform the actions from within that PowerShell. You could have done this with Service Manager activities, but PowerShell is the direction things are heading, so I implemented the main logic in PowerShell and used Orchestrator activities only for interacting with Service Manager, such as updating the Service Request status. The basic PowerShell is below:

In this basic PowerShell I am hardcoding the AD group and the command to run, but once it is in Orchestrator I'll replace those with the information sent from Service Manager. Note that I pass the value into the scriptblock as a parameter: the variable is local to my PowerShell session and does not exist in the remote session that Invoke-Command creates on each machine.
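As an added example (not the author's script from the video), the following PowerShell shows the pattern described above: resolve the computer members of an AD group, then run a scriptblock on each one, passing the locally defined value in through -ArgumentList because the remote session cannot see local variables. The group name, the service name and the per-host action are constructed placeholders; it assumes the ActiveDirectory module and WinRM are available, and it records per-host failures rather than silently dropping them.

```powershell
# Added example, not the original post's code. $GroupName and $ServiceName
# stand in for the values Service Manager would pass into the Orchestrator
# .NET Script activity; both are constructed placeholders.
$GroupName   = 'SRV-Finance-Servers'
$ServiceName = 'Spooler'

Import-Module ActiveDirectory

# Resolve only computer objects (recursively) and use their DNS host names
$computers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    Get-ADComputer -Properties DNSHostName |
    Select-Object -ExpandProperty DNSHostName

# This scriptblock executes in a fresh session on the remote host, so
# $ServiceName from this session is not defined there. It is passed in via
# param()/-ArgumentList ($using:ServiceName is the PowerShell 3+ alternative).
$remoteWork = {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Service  = $svc.Name
        Status   = $svc.Status.ToString()
    }
}

$results = foreach ($computer in $computers) {
    try {
        # Runs as the calling account (the Orchestrator service account
        # when this is inside a runbook), which must be an admin on the host
        Invoke-Command -ComputerName $computer -ScriptBlock $remoteWork `
            -ArgumentList $ServiceName -ErrorAction Stop
    }
    catch {
        # Keep a row for the failed host so the Service Request shows it
        [pscustomobject]@{
            Computer = $computer
            Service  = $ServiceName
            Status   = "ERROR: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table Computer, Service, Status -AutoSize
```

Inside Orchestrator the $results table would feed the activity that updates the Service Request rather than being formatted to the console.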

I then create a runbook in Orchestrator which essentially uses this PowerShell which also hooks into Service Manager to update the Service Request status.

In Service Manager I synchronize with Orchestrator to get the Runbook into the library, then create a Runbook Automation Activity template, and then a new Service Request template which has two activities. The first is a review activity for the submitting user's line manager (as defined in Active Directory), and the second calls the Runbook Automation Activity template and defines the Runbook ID (RBId) and the Service Request ID (SRId), which is the Work Item – ID for each of the respective values. This is shown below.

Because when this all runs via Orchestrator it runs as the Orchestrator service account, I made that service account a local administrator on each server using the Group Policy Preferences local group feature. Another option would have been to specify a credential on the actual Invoke-Command within the PowerShell, but I liked the Group Policy option.

I created email templates for the review activity and for the notification that the Service Request is complete, and then configured those to be used as part of the workflows.

I created Request Offerings and Service Offerings. The key point for end users to see them is that I created new Catalog Groups, one for Request Offerings and one for Service Offerings, that dynamically added all published offerings of each type. I then created a new User Role for all Domain Users that included both of those new Catalog Groups.

I then walk through it all!

AGAIN DO NOT DEPLOY THIS IN PRODUCTION.

THE ABILITY FOR ANY USER TO RUN ANY COMMAND ON EVERY SERVER IN A PASSED GROUP IS VERY BAD. THIS WAS AN EXAMPLE ONLY !!!!

This is an example only and you should modify the actions performed in Orchestrator to your own specific needs.